The first day of Pwn2Own Ireland 2025 wrapped up with a bang, as security researchers uncovered 34 unique zero-day vulnerabilities across various smart devices.
Not a single attempt failed, leading to a total payout of $522,500 in prizes. This event, held in Cork, Ireland, from October 21 to 24, brings together top hackers to test the limits of popular gadgets like printers, routers, and smart home systems.
One of the biggest highlights came from Team DDOS, where Bongeun Koo and Evangelos Daravigkas chained eight different bugs, including several injections, to hack the QNAP Qhora-322 router paired with a TS-453E NAS device in a tough “SOHO Smashup” challenge.
Their success netted them $100,000 and 10 Master of Pwn points, putting them high on the leaderboard.
Other impressive feats included Team Neodyme’s stack buffer overflow on the HP DeskJet 2855e printer for $20,000, and Synacktiv’s root-level code execution on the Synology BeeStation Plus via a stack overflow, earning $40,000.
Researchers targeted printers multiple times, with STARLabs using a heap buffer overflow on the Canon imageCLASS MF654Cdw to win $20,000 in the first round.
Later rounds saw SHIMIZU Yutaro from GMO Cybersecurity snag $10,000 with another stack overflow on the same Canon model, while Team PetoWorks exploited a release-of-invalid-pointer bug for an additional $10,000.
Team ANHTUD closed out the printer attacks with a heap buffer overflow, also earning $10,000. These repeated wins show how vulnerable everyday office printers can be to serious attacks.
Smart home devices took heavy hits too, with Summoning Team’s Sina Kheirkhah using two bugs to gain code execution on the Synology DiskStation DS925+ for $40,000.
Stephen Fewer from Rapid7 combined three flaws, including a server-side request forgery and a command injection, to break into the Home Assistant Green hub, winning $40,000.
Compass Security’s team later used an arbitrary file write and a cleartext data leak on the same device for another $20,000. Meanwhile, dmdung from STAR Labs exploited an out-of-bounds access on the Sonos Era 300 speaker to claim $50,000.
The Philips Hue Bridge saw intense action, starting with Team ANHTUD’s four-bug chain, which included overflows and an out-of-bounds read, for $40,000.
Hank Chen from InnoEdge Labs followed with an authentication bypass and out-of-bounds write for $20,000 in the second round. Though Team DDOS withdrew their attempt on this bridge, the competition stayed fierce.
DEVCORE Research Team impressed with multiple injections and a rare format string bug on the QNAP TS-453E, securing $40,000. Summoning Team ended strong by exploiting two bugs on the Synology ActiveProtect DP320 appliance for $50,000 more.
A partial collision occurred when McCaulay Hudson from Summoning Team used four bugs on Home Assistant Green; despite the overlap, the attempt still earned $12,500.
Overall, 17 attempts filled the day, covering categories like network storage, printers, and surveillance gear. Summoning Team leads the Master of Pwn standings with 11.5 points after their $102,500 haul.
Team DDOS sits close behind with 10 points, while several others like Synacktiv and Rapid7 hold 4 points each. These points help decide the top hacker title at the end.
Eyes On Days Two And Three For More Action
Pwn2Own Ireland aims to find flaws before real hackers do, with vendors getting 90 days to patch them after disclosure. The event features up to $2 million in prizes, including a massive $1 million for a zero-click WhatsApp exploit.
Day two shifts to more network storage, printers, smart homes, and a first shot at the Samsung Galaxy S25 smartphone. Last year’s event saw over $1 million awarded for 70 bugs, and this year could top that with new targets like wearables from Meta.
Follow updates on social media from organizers like the Zero Day Initiative for live results. Reporting these zero-days strengthens security for everyday users relying on these connected devices.